
Performing SIC with Mgmt behind NAT

Hello,

I'm unable to perform the initial SIC between a gateway and a management behind a NAT. I went through all the posts regarding this matter without success. 

I've created a dummy object with the NATed IP and created the corresponding NAT rule between the private and NATed IP. The gateway performing the NAT is another Check Point device as well. I've tried with manual static NAT and using the "Add Automatic Address Translation rules" option under the management NAT section, without success.

The traffic is allowed in the gateway and I see the logs for the returning traffic as allowed and correctly translated as well, but when running a tcpdump on the management, the traffic does not reach the management; I only see SYN packets and retransmissions. For some reason the traffic is being consumed by the gateway?

Management runs R80.10 and gateway R77.30.

Any ideas?

Thanks in advance.

0 Kudos
6 Replies

Re: Performing SIC with Mgmt behind NAT

Do you have any other device in between the NAT gateway and the management server?

0 Kudos

Re: Performing SIC with Mgmt behind NAT

No, just the Check Point cluster gateways.

0 Kudos

Re: Performing SIC with Mgmt behind NAT

0 Kudos

Re: Performing SIC with Mgmt behind NAT

Yes, I saw both. I tried creating a dummy host with the NAT IP and then creating a manual static NAT and also configuring the NAT properties on the real management object for the dynamic NAT.

What I don't understand is why, in the auto-created NAT rule, the source and translated IP address are the same, the internal IP. Shouldn't the translated IP be the one specified in the "hide behind IP address"?

Any ideas?

0 Kudos

Re: Performing SIC with Mgmt behind NAT

What you see in the Automatic NAT rule is the object of the NATted host in both the Original and Translated columns. That looks a bit confusing and is one of the reasons why we mostly add the NAT IP in the comment, so that when you hover over the object it will show you both IPs.

Regards, Maarten
0 Kudos

Re: Performing SIC with Mgmt behind NAT

When I hover over it I see the same IP, which is the internal one, not the NATted one.

Really frustrating this, can't make it work.